Smooth-talking hackers are increasingly using social engineering methods, including a technique called vishing (voice phishing, carried out by phone), to con corporate service desk staff into issuing passwords for real users' accounts.
It is estimated vishing or telephone fraud leads to an annual global loss of about $46.3 billion.
Vishing is phone-based social engineering in which a criminal impersonates another person to obtain information that leads to a data breach, according to Denmark-based FastPassCorp, which specializes in making password processes easy and secure for large organizations. FastPass is used to protect thousands of companies worldwide and passed one million end users years ago.
What you need to know about vishing (voice phishing) by FastPassCorp
What is Vishing?
Vishing is phone-based social engineering: a criminal impersonates another person to obtain information that results in a data breach. There are three types of vishing:
A consumer is tricked into giving away personal information such as credit card details or passwords;
A corporate user is tricked into giving away company assets, such as the passwords for the victim's own accounts, or into performing transactions in the criminal's interest, such as transferring money;
The victim is an important corporate user, and the criminal calls a privileged user such as the service desk to obtain the targeted victim's password. Before the call, the criminal has prepared the emotional levers to use on the service desk agent.
Are vishing and phishing the same?
Vishing and phishing are two different attack vectors in the social-engineering arsenal.
Phishing is like old-time artillery: cover a large area with enough shells (e.g. bulk emails or calls) and hope to hit someone who responds to the call to action, such as by giving away account numbers and passwords. Vishing is like modern elite troops: target a specific, high-value person, make very detailed plans and execute with resolve.
How does vishing work?
Let's say a hacker wants access to a specific important user's accounts. The first thing they will probably do is send phishing emails. If the target is protected with technical anti-phishing controls, awareness training and threat intelligence, the hacker is unlikely to succeed.
The hacker might then try a vishing attack by phoning the target directly. If the target is security-aware, however, it is unlikely that they will give away passwords or account numbers or transfer money. The hacker's next target? Service desk employees.
Target the weakest link: People working the Service/Help desk
The weakest point in the defense is someone who has privileged access to the target victim's information and passwords: the service desk or helpdesk. IT support staff are trained to give service, and to give it fast, which is the ideal environment for a social-engineering attack. The core strategy is to elicit emotions that make the agent give the hacker what they ask for.
Vishing Attacks – Work the victim’s emotions
Typical emotional levers include sympathy: the hacker poses as a likeable person, claims to be in an urgent, difficult situation and asks the service desk for help.
Pride: the hacker presents a difficult problem and flatters the service desk agent's "special skills" in solving the password issue.
Fear: the hacker claims a senior position in the company ("Listen, I'm the CEO of this company and I need this information right now") and threatens to have the employee fired.
Vishing Isn’t Going Away
From 2013 to 2018, the share of data breaches involving social engineering grew from 18% to 35%.
In 2019, 29% of incidents involved stolen credentials, i.e. passwords.
It is estimated vishing or phone fraud leads to an annual global loss of about $46.3 billion.
Prevention against vishing must involve solutions where decisions are based on facts and not emotions. The FastPass Identity Verification Client (IVC) is a secure workflow that takes control of the verification process.
In the words of Finn Jensen, Chief Executive Officer of FastPassCorp: "We believe that many successful vishing attacks are never disclosed, and hence not reported anywhere. If the hacker wants access to high value data, he will copy the data and leave and never return. Later, the organization will not understand how a competitor, the press, public organizations, etc. got access to the data."
Who is really on the phone?
How can you tell? Hackers are well equipped; their tools include voice changers, caller-ID spoofing (phony phone numbers and locations), SMS interception and other sophisticated tactics. Even with these techniques, hackers do not succeed if helpdesk workers follow a strict verification script with multiple independent identity checks, rather than relying on who the caller sounds like or what number appears on the display.
IVC controls the entire verification process, collecting much of the data automatically and telling the service desk agent exactly which questions to ask the caller. Based on rules configured per user group, IVC decides whether verification has been completed successfully and whether the person on the other end of the phone is, in fact, who they claim to be.
From Finn Jensen: "If we want to take human error out of the identity verification equation, we must have an IT workflow controlling the agent. The process must be designed according to security specifications from IT security. There should be different processes for user groups with different security profiles. The tests must include many different items: data, tokens and even manager approval, when needed."
How It Works
When a person calls the service desk for a password reset, the service desk agent uses IVC to verify the caller's identity. IVC presents a fixed checklist built on information known only to the legitimate user and IVC, so the agent cannot skip steps or be talked around them.
For each correct or trustworthy answer, IVC credits points to the call. Only when enough points have been accumulated does IVC release a new password, which is sent to the user through their registered channel rather than read out to the caller.
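The following is an added example, written for this article and not FastPass IVC code, to show what a point-based verification workflow of the kind described above looks like in practice: per-group policies with different thresholds, a mandatory token check for privileged users, manager approval as an extra gate, and a decision the agent cannot override. The user directory, check names, point weights and thresholds are all invented for illustration.

```python
"""Point-based caller identity verification for a service-desk password reset.

Added example, not FastPass IVC code. The directory, check names, point
weights, thresholds and groups below are assumptions made for illustration.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass


@dataclass
class Check:
    name: str
    points: int
    required: bool = False  # a failed required check aborts the call outright


@dataclass
class Policy:
    checks: list[Check]
    threshold: int                      # minimum points before a reset is released
    needs_manager_approval: bool = False


# Constructed sample directory: what the desk system knows about each user.
# The agent never sees these values; the script only tells them what to ask.
DIRECTORY = {
    "alice": {"group": "standard", "employee_id": "E-1042", "manager": "bob",
              "otp": "493201", "cost_center": "CC-77", "mobile": "+4512345678"},
    "carol": {"group": "privileged", "employee_id": "E-0007", "manager": "dave",
              "otp": "118822", "cost_center": "CC-01", "mobile": "+4587654321"},
}

# Different user groups get different processes (assumed weights/thresholds).
POLICIES = {
    "standard": Policy(
        checks=[Check("employee_id", 20), Check("cost_center", 10),
                Check("manager", 10), Check("otp", 40)],
        threshold=60),
    "privileged": Policy(
        checks=[Check("employee_id", 20), Check("cost_center", 10),
                Check("manager", 10), Check("otp", 40, required=True)],
        threshold=80, needs_manager_approval=True),
}


def verify_caller(username: str, answers: dict[str, str],
                  manager_approved: bool = False) -> tuple[bool, int, list[str]]:
    """Score the caller's answers against policy; return (passed, score, transcript).

    There is deliberately no "urgent"/"CEO" override parameter: pressure on the
    agent changes nothing, because the workflow, not the agent, makes the decision.
    """
    record = DIRECTORY.get(username)
    if record is None:
        return False, 0, ["unknown user; deny"]
    policy = POLICIES[record["group"]]
    score, transcript = 0, []
    for check in policy.checks:
        expected = str(record[check.name]).encode()
        given = str(answers.get(check.name, "")).encode()
        ok = hmac.compare_digest(expected, given)   # constant-time compare of the answer
        earned = check.points if ok else 0
        score += earned
        transcript.append(f"{check.name}: {'ok' if ok else 'FAIL'} (+{earned})")
        if not ok and check.required:
            transcript.append(f"{check.name} is mandatory for group "
                              f"{record['group']}; abort")
            return False, score, transcript
    if policy.needs_manager_approval and not manager_approved:
        transcript.append("manager approval required for this group; not given")
        return False, score, transcript
    passed = score >= policy.threshold
    transcript.append(f"score {score}/{policy.threshold}: "
                      f"{'release reset' if passed else 'deny'}")
    return passed, score, transcript


def reset_destination(username: str) -> str | None:
    """Where a released reset goes: the registered mobile on file, never a number
    or address supplied by the caller during the call."""
    record = DIRECTORY.get(username)
    return record["mobile"] if record else None


if __name__ == "__main__":
    good = {"employee_id": "E-1042", "cost_center": "CC-77",
            "manager": "bob", "otp": "493201"}
    passed, score, log = verify_caller("alice", good)
    print("\n".join(log))
    if passed:
        print("send reset to", reset_destination("alice"))
```

Run stand-alone, the script walks a standard user through the checklist and prints where the reset would be delivered. The two details worth copying into any real script are that the caller's answer is compared, not displayed, so the agent cannot be coaxed into "just confirming" the stored value, and that the delivery address comes from the directory rather than the conversation, which is what defeats the spoofed number or forwarded SMS mentioned earlier.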